10.1 Understanding Data Policies

Customer, Global, or Data administrators can use default data policies or select the type of data to monitor and specify criteria to create additional data policies to generate collection and publication details to help them make informed governance decisions. Data policies enable administrators to:

  • Detect data with specific conditions such as permissions with permission assignment end date as today or accounts with privileged account status

  • Detect anomalies or inconsistencies in the published data such as detect users without supervisors or permissions with risk > 100

  • Generate statistics such as number of groups in collected data or number of permissions without owners

  • Monitor changes to attribute values such as cost or risk

  • Monitor changes to entities such as 25% increase in number of accounts or number of users added to the catalog since last collection or publication

  • Initiate remediation action for anomalies or inconsistencies such as email alerts, micro certification, or change request

  • Compare collection and publication details from the same data source at two different collection or publication times

Scenario 1: To discover accounts that are not being used actively, an administrator can create an account data policy and specify that the policy should detect any accounts have a last logged in date which is earlier than a desired time period before the current date and that an immediate micro certification review should be done for these accounts.

Scenario 2: To detect permissions that are being inherited in applications, an administrator can create a permission assignment data policy and specify that the policy should detect application permission and add condition that the permission assignment type should be inherited. To narrow results they can add other conditions such as permission name, permission unique application ID, or permission risk. Administrators can also trigger change requests for these inherited permissions if needed.